<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.6"/>
<title>libnetconf: NETCONF Access Control Module (NACM)</title>
<link href="../../tabs.css" rel="stylesheet" type="text/css"/>
<link href="../../doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
 <tbody>
 <tr style="height: 56px;">
  <td id="projectlogo"><img alt="Logo" src="../../libnetconf-logo.png"/></td>
  <td style="padding-left: 0.5em;">
   <div id="projectname">libnetconf
   &#160;<span id="projectnumber">0.10.0-146_trunk</span>
   </div>
   <div id="projectbrief">NETCONF Library</div>
  </td>
 </tr>
 </tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.6 -->
</div><!-- top -->
<div id="doc-content">

<div class="header">
  <div class="headertitle">
<div class="title">NETCONF Access Control Module (NACM) </div>  </div>
</div><!--header-->
<div class="contents">
<div class="textblock"><p>NACM is a transparent subsystem of libnetconf. It is activated by passing the <a class="el" href="../../d3/d7a/netconf_8h.html#a4b36db75cd94b518671d692b66549aa6">NC_INIT_NACM</a> flag to the <a class="el" href="../../d3/d35/group__gen_a_p_i.html#ga40e32bd7c1404a76105b426219021cdc" title="Initialize libnetconf for system-wide usage. This initialization is shared across all the processes...">nc_init()</a> function. No other action is required to use NACM in libnetconf. All NACM rules and settings are controlled via standard NETCONF operations, since the NACM subsystem provides an implicit datastore that is accessible through the <a class="el" href="../../db/d67/group__store.html#ga6e6e979bd82e50913c82b4dc37cb8759" title="Perform the requested RPC operation on the all datastores controlled by the libnetconf (created by nc...">ncds_apply_rpc2all()</a> function.</p>
<p>libnetconf supports the use of system groups (/etc/group) in the access control rule-lists. To disable this feature, set the &lt;enable-external-groups&gt; value to false:</p>
<div class="fragment"><div class="line">&lt;nacm xmlns=<span class="stringliteral">&quot;urn:ietf:params:xml:ns:yang:ietf-netconf-acm&quot;</span>&gt;</div>
<div class="line">  &lt;enable-external-groups&gt;<span class="keyword">false</span>&lt;/enable-external-groups&gt;</div>
<div class="line">&lt;/nacm&gt;</div>
</div><!-- fragment --><h1><a class="anchor" id="nacm-recovery"></a>
Recovery Session</h1>
<p>A recovery session serves for setting up the initial access rules or for repairing a broken access control configuration. If a session is recognized as a recovery session, the NACM subsystem is bypassed completely.</p>
<p>By default, libnetconf treats all sessions of the user with system UID 0 as recovery sessions. To use the UID of a different user instead, pass the <a class="el" href="../../d9/d87/install.html#configure-nacm-recovery">--with-nacm-recovery-uid</a> option to configure.</p>
<h2><a class="anchor" id="nacm-recovery-init"></a>
Initial operation</h2>
<p>According to <a href="http://tools.ietf.org/html/rfc6536" title="RFC 6536">RFC 6536</a>, libnetconf's NACM subsystem is initially set to permit reading (read-default: permit), deny writing (write-default: deny) and permit operation execution (exec-default: permit).</p>
<dl class="section note"><dt>Note</dt><dd>Some operations or data nodes have their own access control settings defined in their data models. These settings override the defaults described here.</dd></dl>
<p>To change these initial settings, the user has to access the NACM datastore via a recovery session (since any other write operation is denied) and set the required access control rules.</p>
<p>For example, to change the default write rule from deny to permit, use the edit-config operation to create (merge) the following configuration data:</p>
<div class="fragment"><div class="line">&lt;nacm xmlns=<span class="stringliteral">&quot;urn:ietf:params:xml:ns:yang:ietf-netconf-acm&quot;</span>&gt;</div>
<div class="line">  &lt;write-<span class="keywordflow">default</span>&gt;permit&lt;/write-<span class="keywordflow">default</span>&gt;</div>
<div class="line">&lt;/nacm&gt;</div>
</div><!-- fragment --><p>To grant all access rights to a specific user group, use the edit-config operation to create (merge) the following rule:</p>
<div class="fragment"><div class="line">&lt;nacm xmlns=<span class="stringliteral">&quot;urn:ietf:params:xml:ns:yang:ietf-netconf-acm&quot;</span>&gt;</div>
<div class="line">  &lt;rule-list&gt;</div>
<div class="line">    &lt;name&gt;admin-acl&lt;/name&gt;</div>
<div class="line">    &lt;group&gt;admin&lt;/group&gt;</div>
<div class="line">    &lt;rule&gt;</div>
<div class="line">      &lt;name&gt;permit-all&lt;/name&gt;</div>
<div class="line">      &lt;module-name&gt;*&lt;/module-name&gt;</div>
<div class="line">      &lt;access-operations&gt;*&lt;/access-operations&gt;</div>
<div class="line">      &lt;action&gt;permit&lt;/action&gt;</div>
<div class="line">    &lt;/rule&gt;</div>
<div class="line">  &lt;/rule-list&gt;</div>
<div class="line">&lt;/nacm&gt;</div>
</div><!-- fragment --><p>More examples can be found in <a href="http://tools.ietf.org/html/rfc6536#appendix-A">Appendix A of RFC 6536</a>. </p>
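<p>The following is an added example, not libnetconf code: a minimal evaluator of the NACM decision described above (recovery bypass, the RFC 6536 defaults, and rule-lists matched by group, module-name and access-operations, as in the permit-all rule). It ignores the path, rpc-name and notification-name rule types, and the NACM_XML input is constructed from the rule shown on this page.</p>

```python
# Added example of the NACM decision logic described on this page; not
# libnetconf code. Rule matching on path/rpc-name is deliberately omitted.
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:yang:ietf-netconf-acm}"
# Defaults applied before any leaf is configured (see text above).
DEFAULTS = {"read-default": "permit", "write-default": "deny", "exec-default": "permit"}

# Constructed NACM configuration: the page's permit-all rule for group "admin".
NACM_XML = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>admin-acl</name>
    <group>admin</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>"""

def _text(parent, leaf, default=None):
    node = parent.find(NS + leaf)
    return node.text.strip() if node is not None and node.text else default

def decide(nacm_xml, user_groups, operation, module, recovery=False):
    """Return 'permit' or 'deny'. operation: read|create|update|delete|exec.
    A recovery session (UID 0 by default in libnetconf) bypasses NACM."""
    if operation not in {"read", "create", "update", "delete", "exec"}:
        raise ValueError("unknown access operation: %r" % operation)
    if recovery:
        return "permit"
    root = ET.fromstring(nacm_xml)
    if _text(root, "enable-nacm", "true") == "false":
        return "permit"
    for rule_list in root.findall(NS + "rule-list"):
        groups = {g.text.strip() for g in rule_list.findall(NS + "group")}
        if "*" not in groups and groups.isdisjoint(user_groups):
            continue  # this rule-list does not apply to the user
        for rule in rule_list.findall(NS + "rule"):
            mod = _text(rule, "module-name", "*")
            ops = _text(rule, "access-operations", "*").split()
            if mod in ("*", module) and ("*" in ops or operation in ops):
                return _text(rule, "action")  # first matching rule wins
    # No rule matched: fall back to the global *-default leaves.
    leaf = {"read": "read-default", "exec": "exec-default"}.get(operation, "write-default")
    return _text(root, leaf, DEFAULTS[leaf])
```

<p>With the default configuration a user outside the admin group can read and execute but not write, which is why the first write-default change has to come from a recovery session.</p>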
</div></div><!-- contents -->
</div><!-- doc-content -->
<!-- start footer part -->
<div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
  <ul>
    <li class="footer">Generated on Fri Apr 15 2016 09:20:09 for libnetconf by
    <a href="http://www.doxygen.org/index.html">
    <img class="footer" src="../../doxygen.png" alt="doxygen"/></a> 1.8.6 </li>
  </ul>
</div>
</body>
</html>
